This invention relates generally to video communication systems and more particularly concerns an interactive video information retrieval system enabling a viewer to access continually updated information resources such as program guides, sports activities, weather, financial reports and the like.
It is generally accepted that before the year 2000 there will be 150 plus cable channels to choose from. Such concepts as movies-on-demand, two-way interactive TV, interactive program guides, and enhanced "people meters" are already being tested or soon will be.
To facilitate the use of this technology, there is a need for an interactive video system that will help subscribers to navigate through their video resources. No such system is presently available.
Furthermore, while there is a need for subscriber flexibility in use of such a system, security to prevent unauthorized use of the system is also essential.
There are presently known smart card implementations which rely upon the use of an external and secure computer system to achieve data security. When the interface computer is not secure, such as when a product can be reverse engineered and the firmware modified and examined, then the security of these present methods is weak at best.
The four basic methods presently known for achieving security in smart card systems are, therefore, inadequate for the present application. In the first method, access keys lock out portions of a smart card until a valid key is presented to the card. The access key may be presented in the clear or encrypted. In a clear key presentation, once the key has been used it is known to anyone observing the interface. In an encrypted key presentation, the smart card generates a random number; the decoder uses this random number, the key and the algorithm held in the decoder to generate the encrypted key data. Whether clear or encrypted, if all of this information resides in the decoder firmware, it can easily be reverse engineered.
Another security method employs random numbers. If a smart card generates a random number and sends it out, it must receive back that random number encrypted under an internal key. But the only way an outside computer can generate the correct encrypted version is to hold the same key and algorithm. As a result, the key and the algorithm must reside in the insecure decoder firmware.
A third security method uses authentication. Two-way authentication provides good security: each side encrypts information with a known key, and the other unit must decrypt it and then encrypt with another known key. This allows both sides to know that the other side has valid keys and the correct algorithm. But, for the decoder to perform authentication with the smart card, all of the information again resides in the insecure firmware.
One final security method exercises control of the smart card. It assumes that all the commands going to the smart card are generated and controlled by a secure computer. But in the case of the decoder of the present invention, all smart card commands can be intercepted or changed to the benefit of someone trying to defeat the system. Even something as simple as erasing a hidden key, which on some cards first requires that the key be unlocked, may open the information up to examination and changes.
It is, therefore, a primary object of this invention to provide an interactive, video display, data system affording flexibility to the subscriber in accessing a wide variety of data content and formats. In conformance with this primary object, it is further among the objects of this invention to provide an interactive, video display, data system that employs downloadable operating software at the customer's site, that enables the customer to operate the system by one of a variety of standard remote controls, that is capable of constant data base updating and that can be made available at little or no cost to the customer.
Another primary object of this invention is to provide an interactive, video display, data system that affords security to the cable company or other distributor against unauthorized access to the data base. In conformance with this primary object, it is further among the objects of this invention to provide an interactive, video display, data system which employs a smart card encryption-decryption system that has a decryption card at the customer's site which contains keys completely locked in the card, that uses a random seed key which precludes determination of a fixed key that will always work, and that is upgradable to extend and expand services available to the customer.
In accordance with the invention, an interactive video system is provided in which a composite digital information signal is formed by the combination of a winnowed generic information signal with a local information signal. This composite signal is further manipulated to produce an output signal which includes both data code and object code. This output signal is then formatted and transmitted via one or more modulator cards at the system head end to decoders located at the individual user's television set.
The signal transmitted from the modulator card is formed by use of a dynamic gate array having a configuration sequence determined and maintained by a resident configuration EPROM. Consequently, the configuration of the array can be changed in the field by the replacement of the EPROM. Data is fed to the configured array under the control of a control data EPROM also resident in the modulator card. A transmission modulator in the modulator card receives the data from the dynamic gate array for transmission via any selected medium to the user's location. For example, the transmission modulator may be a radio frequency transmitter in which an RF amplifier is driven by a voltage controlled oscillator which is in turn controlled by an RF synthesizer which is responsive to the formatted data signal.
Each of the decoders includes a microprocessor, a frequency agile receiver, memory and a custom gate array. The formatted signal containing the data code and object code is sensed by the frequency agile receiver which, under the direction of the microprocessor, scans for frequencies at which data identified by the microprocessor will be available. When an appropriate data containing frequency is sensed, the microprocessor causes the selected portions of data code and object code contained in the formatted signal to be passed to the memory for storage. The microprocessor then accesses the object code which was passed to the storing means to control the processing of the data code which was passed to the storing means. The custom gate array receives the data code and object code from the frequency agile receiver, passes it to the memory and ultimately, under the direction of the microprocessor, passes processed portions of the data code to the customer's video display device.
Each decoder also includes a boot ROM containing a small portion of the object code to enable the microprocessor to receive the full object code contained in the formatted signal.
The present interactive, video display, data system broadcasts from a single point to multiple units and is not bidirectional. If it is desirable that the system be secure against unauthorized use, then the encrypted data stream must be decrypted simultaneously by many receivers. Each receiver must be able to use the same key to decode the data stream. Smart cards are used to securely hold the keys and allow secure distribution of the keys.
The data stream is encrypted using a random seed key. While the seed key changes from time to time in a random fashion, all data sent at any particular time uses the same key. The seed key is doubly encrypted, using keys that are contained and completely locked into every smart card. This random seed is transmitted in the clear with the encrypted data stream and with pointers to indicate which keys were used. This random seed is passed into the smart card and doubly encrypted before the result can be read out. The encrypted key is now passed to decryption hardware in the decoder to decrypt the data stream. Because the keys are never read out from the smart card and are completely locked, the system is secure against discovery of the hidden keys. No commands issued to the smart card will reveal these keys. The random seed precludes the possibility of finding a fixed key that will always work and the double encryption makes it virtually impossible to figure out the two hidden keys by brute force on the algorithm.
To secure key distribution, the hidden keys used in the smart card are only valid for a specific period of time. The system may use one key per month and may also periodically change the system wide keys. New keys are loadable into the smart card without anyone else being able to determine them. When an upgrade card containing new keys is distributed, the decoder transfers these new keys into the existing smart card in a secure fashion. During the transfer, the keys are not identifiable. Furthermore, the transfer is unique from decoder to decoder; otherwise, the data stream from the upgrade card could be recorded and replayed on another decoder without any knowledge of the keys or protocols. In addition, the upgrade card is not usable by any other decoder after it has been used once. But the upgrade card is reusable for the same decoder in the event that the upgrade didn't function correctly, due, for example, to a power failure during the process or user error. Finally, the upgrade card is generic, so that before first use it can be used with any decoder. To accomplish this, each decoder smart card contains a set of "random" and unique numbers, basically secret serial numbers. These can only be read out in encrypted format. One of a set of system wide keys is used to read out a particular serial number. This encrypted serial number is transferred to the upgrade card and decrypted by pointing to the same system wide key that resides in the upgrade card. The serial number is now locked in the upgrade card but has not been revealed by the data stream because it was encrypted. The serial number plus a different system key is used to encrypt the new monthly keys to be transferred to the decoder smart card. At the decoder smart card, the new keys are decrypted into locked files.
This process resolves all the above concerns. All transfers are encrypted using hidden keys. The transfers use a serial number which is unique to each decoder. Once the serial number is stored in the upgrade card it cannot be changed or removed, so this prevents a different decoder from using the upgrade card. The upgrade card can still be used to upgrade the decoder smart card in case of a transfer failure. There is nothing specific in the upgrade card that prevents it from being used with any valid decoder.
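The following is a worked model of the two procedures described above: the random-seed stream key that every decoder's smart card doubly encrypts, and the upgrade-card transfer that binds itself to one decoder's secret serial number. It is added here as an illustration and is not code from the patent. The patent names no cipher, so HMAC-SHA256 stands in for the keyed primitive: as a keyed one-way function for the double encryption of the seed, and in counter mode as a reversible keystream for the serial-number and key transfers. The integrity tag on the transferred key, the numeric key pointers, the message layout and all key values are assumptions of the example; the card classes deliberately expose no method that returns a locked key or serial.

```python
import hashlib
import hmac
import os


def prf(key: bytes, msg: bytes) -> bytes:
    """Keyed one-way function standing in for the patent's unspecified cipher (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def ks_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from prf() XORed with data; one call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, nonce + (i // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class DecoderSmartCard:
    """Holds monthly keys, system-wide keys and secret serials; no method ever returns one."""
    def __init__(self, monthly: dict, system: dict, serials: list):
        self._monthly = dict(monthly)  # key id -> monthly key, locked in the card
        self._system = dict(system)    # system-wide keys shared by every card
        self._serials = list(serials)  # secret serial numbers, unique per card

    def encrypt_seed(self, seed, k1_id, k2_id) -> bytes:
        """Doubly encrypt the broadcast seed; the result is the stream key, the keys stay inside."""
        return prf(self._monthly[k2_id], prf(self._monthly[k1_id], seed))

    def read_serial_encrypted(self, idx, sys_id) -> tuple:
        """A serial number leaves the card only encrypted under the pointed-to system key."""
        nonce = os.urandom(16)
        return nonce, ks_xor(self._system[sys_id], nonce, self._serials[idx])

    def load_monthly_key(self, idx, sys_id, key_id, nonce, ct, tag) -> None:
        """Unwrap a transferred key under serial + system key; reject one made for another card."""
        tk = prf(self._system[sys_id], self._serials[idx])
        if not hmac.compare_digest(tag, prf(tk, nonce + ct)):
            raise ValueError("transfer was not produced for this card's serial")
        self._monthly[key_id] = ks_xor(tk, nonce, ct)


class UpgradeCard:
    """Generic card carrying new monthly keys; binds to the first decoder serial it receives."""
    def __init__(self, system: dict, new_keys: dict):
        self._system = dict(system)
        self._new = dict(new_keys)
        self._serial = None  # set once, then neither changeable nor removable

    def accept_serial(self, sys_id, nonce, ct) -> None:
        serial = ks_xor(self._system[sys_id], nonce, ct)
        if self._serial is not None and self._serial != serial:
            raise PermissionError("upgrade card already used by a different decoder")
        self._serial = serial

    def export_key(self, key_id, sys_id) -> tuple:
        """Wrap a new monthly key under serial + a different system key; the tag is an assumption."""
        tk = prf(self._system[sys_id], self._serial)
        nonce = os.urandom(16)
        ct = ks_xor(tk, nonce, self._new[key_id])
        return nonce, ct, prf(tk, nonce + ct)


def head_end_broadcast(monthly, k1_id, k2_id, plaintext) -> dict:
    """Head end: random seed, same double encryption; seed and key pointers go out in the clear."""
    seed, nonce = os.urandom(16), os.urandom(16)
    stream_key = prf(monthly[k2_id], prf(monthly[k1_id], seed))
    return {"seed": seed, "k1": k1_id, "k2": k2_id, "nonce": nonce, "ct": ks_xor(stream_key, nonce, plaintext)}


def decoder_receive(card, msg) -> bytes:
    """Decoder firmware only forwards seed and pointers to the card; it never holds a hidden key."""
    return ks_xor(card.encrypt_seed(msg["seed"], msg["k1"], msg["k2"]), msg["nonce"], msg["ct"])


def upgrade_decoder(card, upg, key_id) -> None:
    """Serial goes to the upgrade card under system key 0; the new key comes back under key 1."""
    nonce, ct = card.read_serial_encrypted(0, 0)
    upg.accept_serial(0, nonce, ct)
    nonce, ct, tag = upg.export_key(key_id, 1)
    card.load_monthly_key(0, 1, key_id, nonce, ct, tag)


def demo() -> dict:
    """Constructed run: broadcast, upgrade, retry on the same decoder, refusal of a second one."""
    monthly, system = {1: os.urandom(32), 2: os.urandom(32)}, {0: os.urandom(32), 1: os.urandom(32)}
    new = {3: os.urandom(32)}
    card_a, card_b = (DecoderSmartCard(monthly, system, [os.urandom(16)]) for _ in range(2))
    upg = UpgradeCard(system, new)
    out = {"decoded": decoder_receive(card_a, head_end_broadcast(monthly, 1, 2, b"EPG: ch 5 20:00 news"))}
    upgrade_decoder(card_a, upg, 3)
    upgrade_decoder(card_a, upg, 3)  # retry after a failed first attempt is allowed
    try:
        upgrade_decoder(card_b, upg, 3)  # a second decoder's serial is refused
    except PermissionError as exc:
        out["second_decoder_rejected"] = str(exc)
    out["after_upgrade"] = decoder_receive(card_a, head_end_broadcast({**monthly, **new}, 3, 1, b"key 3 live"))
    return out
```

Running `demo()` exercises the whole sequence: the decoder recovers the broadcast without ever handling a monthly key, the upgrade succeeds and can be repeated on the same decoder, the same upgrade card refuses a second decoder, and the head end can then address the upgraded card with the new key. A transfer recorded from one decoder and replayed to another fails at `load_monthly_key`, because the wrapping key is derived from the recipient's own serial.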